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DETAILED ACTION 



Election/Restrictions 

1 . Restriction to one of the following inventions is required under 35 U.S.C. 121 : 

I. Claims 1-24 and 32-74. drawn to a network architecture that includes 
access control, classified in class 726, subclass 3. 

II. Claims 25-31, drawn to a data structure, classified in class 707, subclass 
101. 

Inventions I and II are drawn to a network architecture and a data 
structure respectively are related as combination and subcombination. 
Inventions in this relationship are distinct if it can be shown that (1) the 
combination as claimed does not require the. particulars of the subcombination as 
claimed for patentability, and (2) that the subcombination has utility by itself or in 
other combinations (MPEP § 806.05(c)). 

In the instant case, invention ( I ) a network architecture does not need 
particulars of a data structure and it can be used simply by specifying a topology 
of network nodes and ( II ) has separate utility such as a data structure that can 
be used in non-network (e.g. single computer) environment.. See MPEP § 
806.05(d). 

Because these inventions are distinct for the reasons given above and the 
search required for Group I, a network architecture is not required for Group II. a 
data structure, restriction for examination purposes as indicated is proper. 
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Applicant is reminded that upon the cancellation of claims to a non-elected 
invention, the inventorship must be amended in compliance with 37 CFR 1 .48(b) if 
one or more of the currently named inventors is no longer an inventor of at least one 
claim remaining in the application. Any amendment of inventorship must be 
accompanied by a request under 37 CFR 1 .48(b) and by the fee required under 37 
CFR1.17(i). 

2. A telephone call was made to David A. Morasch (509.242.2173) on 8/25/05 to 
request an oral election to the above restriction i^equirement. Group I (claims 1-24 
and 32-74) has been elected with traverse. 

3. Claims 1-24 and 32-74 have been examined. 

Oath/Declaration 

4. The title of the invention is missing in the declaration and as result it is not clear to 
which application does the declaration refer. 

5. ABSTRACT -OK 

Claim Objections 

6. 
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Claim Rejections - 35 USC §112 

The following is a quotation of the second paragraph of 35 U.S.C. 1 12: 

The specification shall conclude with one or more claims particulaily pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

7. Claims 1 1-12, 16, 19 and 38-40. 

8. In various claims applicant recites that a network determines from trusted 
namespaces (sometimes presented as trusted link data structured comprising 
namespaces) where to communicate an authentication request. The limitations are 
not understood. The limitations are presented in various scenarios. For example, in 
claims 19 and 20 the first network system maintains trusted namespaces 
corresponding to the second network system and the second network determines 
from the trusted namespaces where to communicate an authentication request but 
claim 1 8 for example suggests that the first network system maintains trusted 
namespaces corresponding to the second network system and the first network is 
configured to detennine from the trusted namespaces where to communicate an 
authentication request . In other words, the limitations as claimed suggest that both 
the first and the second network determine from the same data (the trusted 
namespaces) that is held at one and the same network (the first network) where to 
communicate an authentication request, and as a result it is not clear whether a part 
of operation of the network architecture (e.g. request and receipt of the trusted 
namespace data) is missing or whether there is some inconsistency of where the 
trusted namespaces are maintained. 
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9. Applicant should check all the claims for similar issue so that the claim limitations 
are clear, consistent and complete. 

10. Claim 19 recites: "is configured to determine from the trusted namespaces where to 
communicate an authentication request resulting from access to a resource, the 
request received for an account managed in the first network". The limitation is not 
understood. Commonly an access to a resource is a result of an authentication 
request and not vice versa. Furthermore, the limitation is convoluted. It is not clear 
whether "the request" is directed towards "the authentication request" (the only prior 
recited request) and if so the limitation is not clear. It suggests that access to a 
resource triggers an authentication request for an account. The limitation as cited 
makes no sense and is not presented in the drawings and the specification. The 
examiner believes that claim 19 contains the typographical error, wherein "for" 
should be treated as "from" as cited in other claims, e.g. claims 11, 38-40 etc. 

1 1. A similar problem is observed in claims 12 and 20. 

12. In claim 16 it is not clear whether the limitation: "automatically designate which of the 
namespaces are trusted by the first network system" refers to the data structure or to 
the first network system. 

13. Furthermore, the claim limitation conflicts with the specification, which explicitly 
underlines that no automatic trust (and not automatic trust) is used in the invention, 
e.g. "the namespaces received from the trusted forest are not automatically trusted" 
(pg, 19 lines 3-8) and "all of the domainID records identifying a subordinate domain 
in the same forest will automatically not be trusted" (pg. 21 lines 8-9). 
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14. There are several main limitations in the seventy four claims presented by applicant, 
wherein a variety of combinations is built. However, there are essentially only a few 
main limitations that read on all the limitations presented by applicant. For clarity of 
prosecution the examiner groups claims by the main limitations, which are explicitly 
addressed rather than discussing each of the combination that can be derived. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

15. Claims 1-9, 32-37, 51, 60, 65 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over each of Deuby, Olsen and Schultz. 

16. Deuby, Olsen and Schultz teach Windows 2000 architecture. 

17. As per claims 1-2 Deuby teaches Windows 2000 domain tree (Deuby, Fig. 3.2 pg. 
59 and Fig. 3.8 pg. 66) and a forest that are networks including one or more 
domains (Deuby, Fig. 3.10 pg. 68). 

18. A forest is a separate entity and as a result two different forests as shown by Olsen 
(Olsen, Fig. 4. 12, pg. 104 and Fig. 4.9 pg. 102), .and two forests read on: a first 
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network system including one or more first network system domains and a second 
network system including on or more second network system domains, the second 
network system being autonomous from the first network system such that the first 
network system domains are administratively independent from the second network 
system domains. 

1 9. Sc/?y/fz teach transitive trust and explains that Windows NT's group inclusion rules 
do not allow a local group to be included in any other group and as a result no 
transitive trust is present in Windows NT CTransitive Trust) pg. 184), 

20. Olsen shows a trust link between a first network system root domain and the second 
network system root domain (Olsen, Fig. 4,9 pg, 102), which reads on "a trust link 
between a first network system root domain and a second network system root 
domain". 

21. 0/sen do not explicitly that the trust link provides transitive resource access between 
the one or more first network system domain and the one or more second network 
system domains. 

22. Schultz teaches transitive trust (Schultz, "Transitive Trust, pg. 184) and Deuby 
discloses implementation of a transitive trust within Windows 2000 environment 
teaching that a domain tree starts at the root domain and that requests from one 
branch of the domain tree to another branch that isn't a parent or child domain must 
be referred through the root domain (Deuby, "The Root Domain", pg. 225-226 which 
also refer the reader to Fig. 3.9 on pg. 67). 
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23. It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to configure the trust link to provide transitive resource access between the 
one or more first network system domains and the one or more second network 
system domains as taught by Deuby. One of ordinary skill in the art would have 
been motivated to perform such a modification in order to allow easy resource 
access between trusted domains. 

24. The transitive link between the roots inherently provides transitive security 
associations between the one or more first network system domains and the one or 
more second network system domains (e.g. transitive resource access between the 
one or more first network system domains and the one or more second network 
system domains) 1-2. 

25. The purpose of a trust link is so that resources from one network are accessible to 
another network. 

26. Any security features e.g. trust links are initiated by administrators, and the 
administrators are able to administer only their own networks. As a result, 
administrators of the first network system can only set up a trust link such that an 
account in the second network system can access resources in the first network 
system. When both network administrators initiate the transitive trust links the two- 
way trust links are established (e.g, Olsen, Fig. 4.9, pg. 102), 8-10 

27. The links inherently allow connection to resources and access domain to resources 
requires authentication. 
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28. Claims 10-24. 38-50, 52-59. 61-64, 66-74 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Deuby, Olsen and Schultz in view of Hadfield. 

29. Deuby, Olsen and Schultz teach Windows 2000 architecture as discussed above. 
Windows 2000 use namespaces that clearly and individually identify resources (e.g. 
Olsen, Fig. 4.7 pg. 100 and Fig. 4.3 pg. 94). 

30. Deuby, Olsen and Schultz do not explicitly teach that the trust link data structure 
contains trusted namespaces. 

3^. Hadfield teaches details of setting up trust links and specifically teaches that in order 
to set up trust links one must define trusting entities (e.g. trusting domains) in trusted 
entities (e.g. trusted domains) (Hadfield, pg. 124-125) and trusted entities must be 
defined in trusting entities (Hadfield, pg. 126). 

32. This clearly shows that Windows 2000 environment as taught by Deuby, Olsen and 
Schultz one also must set up trust links by defining trusting entities in trusted entities 
and trusted entities in trusting entities as taught by Hadfield. Even if it was not the 
case it would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to set up a trust link as taught by Hadfield for motivation of 
benefit of allowing trusting entities to identify trusted entities and allowing trusted 
entities to identify trusting entities. 

33. As discussed above Hadfield teaches building trust links, which constitutes defining 
and storing data defining trusted entities in trusting entities and defining trusting 
entities in trusted entities. Although Hadfield does not explicitly teach that the trust 
links are data structures in the art of computing, data structures are fundamental 
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concepts in building computer data and are commonly used for the purpose of 
keeping information. As a result, it would have been obvious to one of ordinary skill 
in the art at the time of applicant's invention to express the trust links as data 
structures. One of ordinary skill in the art would have been motivated to utilize data 
structure for a quick access and information retrieval relevant to the trust links. 

34. As discussed above the trust link between the first network system and the second 
network system is established through network system root domains and it would be 
implicit to configure the root domains to maintain the trust link data structures. 

35. Hadf/e/d teach Windows NT environment, which is a predecessor of Windows 2000. 
As noted above Windows 2000 introduced namespaces to identify clearly and 
individually the resources. As a result, it would have been obvious to one of ordinary 
skill in the art at the time of applicant's invention, to include trusted namespaces in 
the trust link data structures. One of ordinary skill in the art would have been 
motivated to perform such a modification in order to clearly identify trust relationship 
entities. 

36. It is well known in the art to use namespaces in network architecture. Namespaces 
allow a quick and precise determination of a resource origin as evidenced by Olsen 
(Fig. 4.7, pg. 100 and Fig. 4.9 pg. 102). For example, Windows 2000 utilize 
namespaces. In fact on pages 55-57 Deuby talks about the benefits of using 
namespaces. As a result, extending trust links as taught by Hadfieldio use 
namespaces would have been an obvious choice given the benefit of a quick and 
precise resource location resolution. 
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37. Deuby. Olsen and Schultz in view of Hadfielddo not explicitly teach that a network 
detemnines from trusted namespaces where to communicate an authentication 
request. However, this limitation is implicit. The purpose of establishing a trust 
relationship between network systems is to allow an object of one network system to 

. access resources of another network system. Access to network systems' 
resources is restricted to authenticated objects (e.g. Schultz, "Security Reference 
Monitor", pg. 68) and as a result in order to handle a request (whether it is a 
resource request requiring authentication or simply an authentication request) a 
network system receiving the request must determine the authentication authority for 
the particular request. As mentioned above, requests to resources from one 
network system to another network system (connected with a trust link) are 
expected. Also, as mentioned above the two network systems as taught by Deuby, 
Olsen and Schultz are administratively independent. As a result, it is implicit that a 
network system receiving a request to the resource that is not found within the 
particular network resource will attempt to use any other information to resolve the 
request (in this case the trust link data structure and based on the findings decides 
where to communicate the request). Could be to the resource or to failure log or 
something like this. 

38. Deuby, Olsen and Schultz in view of Hadfield do not explicitly teach identifiers in 
relationship to trust links. 

39. However, it is old and well known in the art to use identifiers to uniquely identify an 
object (e.g. Hadfield pg. 166-167). It would have been obvious to one of ordinary 
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skill in the art at the time of applicant's invention, to use identifiers in network 
systems connected with trust links (e.g. include identifiers in trust link data 
structures) given the of benefit of authenticating and granting pemiissions to a 
requester. 

40. Lastly, it would have been implicit to reject any duplicate identifiers (e.g. security 
identifiers or network system identifiers) in order to ensure the proper identification of 
an object or an entity. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Peter Poltorak whose telephone number is 
(571)272-3840. The examiner can normally be reached Monday through Thursday 
from 9:00 a.m. to 4:00 p.m. and alternate Fridays from 9:00 a.m. to 3:30 p.m. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse can be reached on (571) 272-3838. The fax phone 
number for the organization where this application or proceeding is assigned is 
(571)273-8300. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more infonnation about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



